At SafeDep we operate a large-scale malicious package scanning infrastructure. Using it, we continuously monitor the npm and PyPI package registries for malicious packages. Unlike vulnerabilities, malicious packages are not reported voluntarily by developers, so we need real-time detection. We perform this analysis using a combination of static code analysis and LLM-based analysis. Learn more on how to use malicious package analysis with vet.
False positives are a common problem for any tool that relies on static code analysis. For malicious package analysis in particular, our goal is to reduce false positives so as to minimize the effort required for manual triage. Towards this, we built an experimental Model Context Protocol (MCP) server that lets an MCP client such as Claude Desktop perform an additional layer of analysis on packages that our real-time scanning infrastructure classifies as malicious. In particular, we wanted to give the LLM access to all the tools and resources that we employ in our analysis pipeline. This includes:
A simplified architecture of the setup is shown below.
While the results are promising and exciting for us, there is a long way to go to productionize this. For example, our automated systems that monitor public package registries use statically coded workflows and currently run at less than 10% of the time cost of the agentic execution. They also minimize LLM calls by leveraging static code analysis and opinionated rules, which scales much better.
Given below is the unedited result of Claude Desktop running our agentic workflow on a malicious package flagged by our real-time scanning infrastructure. Typically such a package requires us to manually triage it and then provide a detailed analysis.
NOTE: If you believe ok-script is wrongly flagged as malicious, please drop us a note with supporting evidence to [email protected].
ok-script 0.0.504 exhibits strong indicators of malicious intent, including obfuscated functionality, suspicious binary components, and potentially harmful system manipulation capabilities.
Attribute | Value |
---|---|
Package Name | ok-script |
Version | 0.0.504 |
Repository | https://github.com/ok-oldking/ok-script |
Risk Level | 🔴 HIGH |

- `ok/__init__.cp312-win_amd64.pyd` (2.7MB): `application/vnd.microsoft.portable-executable`, with extension .exe
- `__init__.py`
- file `GitUpdater.py`) that:

```python
# Suspicious process termination code from GitUpdater.py
def wait_kill_pid(pid):
    process = psutil.Process(pid)
    process.terminate()
    process.wait(timeout=30)
    logger.info(f'kill process {pid} exists {psutil.pid_exists(pid)}')
```
Repository Attribute | Observation | Risk Indication |
---|---|---|
Creation Date | December 2023 | Recent creation despite high version number |
Content | Nearly empty (only README.md) | Repository likely just a placeholder |
Activity | Very limited (2 commits) | No development activity matching binary complexity |
Latest Commit | March 2025 | Very recent activity |

The package imports numerous sensitive modules:

- `psutil` (process manipulation)
- `win32api`, `win32security` (Windows system API access)
- `subprocess` (command execution)

`GitUpdater.py`) detects version differences

```python
# GithubMultiDownloader.py contains a list of proxy servers for evading detection
download_url_us = [
    ['https://gh.h233.eu.org/https://github.com', '美国', '[美国 Cloudflare CDN] - 该公益加速源由 [@X.I.U/XIU2] 提供'],
    ['https://gh.ddlc.top/https://github.com', '美国', '[美国 Cloudflare CDN] - 该公益加速源由 [@mtr-static-official] 提供'],
    ['https://dl.ghpig.top/https://github.com', '美国', '[美国 Cloudflare CDN] - 该公益加速源由 [feizhuqwq.com] 提供'],
    # ... additional proxy servers omitted
]
```

```python
# Code from GitUpdater.py showing remote execution capabilities
def start_app(self):
    communicate.update_running.emit(True, True)
    logger.info(f'start_app enter')
    try:
        new_ver = self.starting_version
        entry = 'main.py'
        script_path = os.path.join('repo', new_ver, entry)
        # [...snip...]
        process = subprocess.Popen(
            [python_path, script_path, f'--parent_pid={os.getpid()}'],
            creationflags=subprocess.CREATE_NO_WINDOW,
            close_fds=True,
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE
        )
```
```shell
pip uninstall ok-script
```
Conclusion: This package exhibits multiple high-risk indicators consistent with malware. The combination of obfuscated binary code, system manipulation capabilities, and auto-update mechanisms strongly suggests this package is designed for unauthorized access and remote control of affected systems.
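The two indicator classes the analysis above leans on, a PE binary shipped inside a source package as a `.pyd` and imports of modules that grant process or OS control, can be checked mechanically before a package reaches an analyst or an LLM. The script below is an added example written for this post; it is not SafeDep's or vet's code. The `SENSITIVE_MODULES` table, the `risk_level` heuristic and the `SAMPLE_PACKAGE` files are all constructed assumptions for illustration.

```python
"""Static triage pass over a package's files (added example, not SafeDep's or
vet's code). It surfaces the two indicator classes the analysis above reports:
native PE binaries shipped inside a source package, and imports of modules that
grant process or OS control. The sample package below is constructed."""
from __future__ import annotations

import ast
from dataclasses import dataclass

# Modules the analysis above treats as sensitive, with the reason it gives.
SENSITIVE_MODULES = {
    "psutil": "process manipulation",
    "win32api": "Windows system API access",
    "win32security": "Windows system API access",
    "subprocess": "command execution",
}


@dataclass
class Finding:
    path: str
    kind: str     # "binary", "import", "encoding" or "syntax"
    detail: str


def is_pe(data: bytes) -> bool:
    """Every Windows PE file (.exe, .dll, .pyd) starts with the DOS 'MZ' stub."""
    return data[:2] == b"MZ"


def sensitive_imports(source: str) -> list[tuple[str, str]]:
    """Return (top-level module, reason) for each sensitive import in the source.

    Walking the AST instead of grepping means aliased imports such as
    'import subprocess as sp' or 'from psutil import Process' are still caught.
    """
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module:
            names = [node.module]
        else:
            continue
        for name in names:
            top = name.split(".")[0]
            if top in SENSITIVE_MODULES:
                hits.append((top, SENSITIVE_MODULES[top]))
    return hits


def triage(files: dict[str, bytes]) -> list[Finding]:
    """Scan a {relative path: content} mapping and collect findings."""
    findings: list[Finding] = []
    for path, data in files.items():
        if is_pe(data):
            findings.append(Finding(path, "binary", f"PE executable, {len(data)} bytes"))
            continue
        if not path.endswith(".py"):
            continue
        try:
            source = data.decode("utf-8")
        except UnicodeDecodeError:
            findings.append(Finding(path, "encoding", "not valid UTF-8"))
            continue
        try:
            hits = sensitive_imports(source)
        except SyntaxError as exc:
            findings.append(Finding(path, "syntax", f"unparseable: {exc.msg}"))
            continue
        for module, reason in hits:
            findings.append(Finding(path, "import", f"{module}: {reason}"))
    return findings


def risk_level(findings: list[Finding]) -> str:
    """Assumed heuristic: a native binary plus two or more distinct sensitive
    modules is HIGH, either class alone is MEDIUM, otherwise LOW."""
    has_binary = any(f.kind == "binary" for f in findings)
    modules = {f.detail.split(":")[0] for f in findings if f.kind == "import"}
    if has_binary and len(modules) >= 2:
        return "HIGH"
    if has_binary or modules:
        return "MEDIUM"
    return "LOW"


# Constructed sample package modelled on the indicators reported above.
SAMPLE_PACKAGE = {
    # 64-byte stand-in for a compiled extension that is really a PE file
    "ok/__init__.cp312-win_amd64.pyd": b"MZ\x90\x00" + b"\x00" * 60,
    "ok/GitUpdater.py": (
        b"import os\n"
        b"import subprocess\n"
        b"import psutil\n"
        b"from win32api import GetCurrentProcessId\n"
        b"\n"
        b"def wait_kill_pid(pid):\n"
        b"    process = psutil.Process(pid)\n"
        b"    process.terminate()\n"
    ),
    "ok/util.py": b"import json\n",
}

if __name__ == "__main__":
    results = triage(SAMPLE_PACKAGE)
    for finding in results:
        print(f"{finding.kind:8} {finding.path}: {finding.detail}")
    print("risk:", risk_level(results))
```

Running it on the constructed package reports the PE stub as a binary finding, the three sensitive imports from `GitUpdater.py`, nothing for `util.py`, and an overall HIGH level. A real pipeline would feed a sdist or wheel's extracted file tree into `triage` and hand only the findings (rather than the whole package) to the LLM-backed second pass, which is what keeps the LLM call count low.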